1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.wss4j.policy.stax.assertionStates;
20
21 import javax.xml.namespace.QName;
22
23 import org.apache.wss4j.common.WSSPolicyException;
24 import org.apache.wss4j.policy.SP13Constants;
25 import org.apache.wss4j.policy.SPConstants;
26 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
27 import org.apache.wss4j.policy.model.AbstractToken;
28 import org.apache.wss4j.policy.model.UsernameToken;
29 import org.apache.wss4j.policy.stax.PolicyAsserter;
30 import org.apache.wss4j.stax.ext.WSSConstants;
31 import org.apache.wss4j.stax.securityToken.UsernameSecurityToken;
32 import org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent;
33 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
34 import org.apache.xml.security.exceptions.XMLSecurityException;
35 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
36 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
37 import org.apache.xml.security.stax.securityToken.SecurityToken;
38
39
40
41
42
43 public class UsernameTokenAssertionState extends TokenAssertionState {
44
45 public UsernameTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
46 PolicyAsserter policyAsserter, boolean initiator) {
47 super(assertion, asserted, policyAsserter, initiator);
48
49 if (asserted) {
50 UsernameToken usernameToken = (UsernameToken) getAssertion();
51 String namespace = usernameToken.getName().getNamespaceURI();
52 if (usernameToken.getPasswordType() != null) {
53 getPolicyAsserter().assertPolicy(new QName(namespace, usernameToken.getPasswordType().name()));
54 }
55 if (usernameToken.isCreated()) {
56 getPolicyAsserter().assertPolicy(SP13Constants.CREATED);
57 }
58
59 if (usernameToken.isNonce()) {
60 getPolicyAsserter().assertPolicy(SP13Constants.NONCE);
61 }
62
63 if (usernameToken.getUsernameTokenType() != null) {
64 getPolicyAsserter().assertPolicy(new QName(namespace, usernameToken.getUsernameTokenType().name()));
65 }
66 }
67 }
68
69 @Override
70 public SecurityEventConstants.Event[] getSecurityEventType() {
71 return new SecurityEventConstants.Event[]{
72 WSSecurityEventConstants.USERNAME_TOKEN
73 };
74 }
75
76 @Override
77 public boolean assertToken(TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent,
78 AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException {
79 if (!(tokenSecurityEvent instanceof UsernameTokenSecurityEvent)) {
80 throw new WSSPolicyException("Expected a UsernameSecurityTokenEvent but got " + tokenSecurityEvent.getClass().getName());
81 }
82 UsernameSecurityToken usernameSecurityToken = (UsernameSecurityToken) tokenSecurityEvent.getSecurityToken();
83 UsernameTokenSecurityEvent usernameTokenSecurityEvent = (UsernameTokenSecurityEvent) tokenSecurityEvent;
84 UsernameToken usernameToken = (UsernameToken) abstractToken;
85
86 String namespace = getAssertion().getName().getNamespaceURI();
87 if (usernameToken.getPasswordType() != null) {
88 switch (usernameToken.getPasswordType()) {
89 case NoPassword:
90 if (usernameTokenSecurityEvent.getUsernameTokenPasswordType()
91 != WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
92 setErrorMessage("UsernameToken contains a password but the policy prohibits it");
93 getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.NO_PASSWORD),
94 getErrorMessage());
95 return false;
96 }
97 getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.NO_PASSWORD));
98 break;
99 case HashPassword:
100 if (usernameTokenSecurityEvent.getUsernameTokenPasswordType()
101 != WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
102 setErrorMessage("UsernameToken does not contain a hashed password");
103 getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.HASH_PASSWORD),
104 getErrorMessage());
105 return false;
106 }
107 getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.HASH_PASSWORD));
108 break;
109 }
110 } else if (usernameTokenSecurityEvent.getUsernameTokenPasswordType() == WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
111
112 setErrorMessage("UsernameToken must contain a password");
113 getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
114 return false;
115 } else if (usernameTokenSecurityEvent.getUsernameTokenPasswordType() == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
116
117 setErrorMessage("UsernameToken password must not be hashed");
118 getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
119 return false;
120 }
121 if (usernameToken.isCreated()) {
122 if (usernameSecurityToken.getCreatedTime() == null
123 || usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT) {
124 setErrorMessage("UsernameToken does not contain a created timestamp or password is not plain text");
125 getPolicyAsserter().unassertPolicy(SP13Constants.CREATED, getErrorMessage());
126 return false;
127 } else {
128 getPolicyAsserter().assertPolicy(SP13Constants.CREATED);
129 }
130 }
131
132 if (usernameToken.isNonce()) {
133 if (usernameSecurityToken.getNonce() == null
134 || usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT) {
135 setErrorMessage("UsernameToken does not contain a nonce or password is not plain text");
136 getPolicyAsserter().unassertPolicy(SP13Constants.NONCE, getErrorMessage());
137 return false;
138 } else {
139 getPolicyAsserter().assertPolicy(SP13Constants.NONCE);
140 }
141 }
142
143 if (usernameToken.getUsernameTokenType() != null) {
144 switch (usernameToken.getUsernameTokenType()) {
145 case WssUsernameToken10:
146 if (usernameTokenSecurityEvent.getUsernameTokenProfile() != null
147 && usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
148 setErrorMessage("Policy enforces UsernameToken profile 1.0 but we got 1.1");
149 getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN10),
150 getErrorMessage());
151 return false;
152 }
153 getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN10));
154 break;
155 case WssUsernameToken11:
156 if (usernameTokenSecurityEvent.getUsernameTokenProfile() != null
157 && !usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
158 setErrorMessage("Policy enforces UsernameToken profile 1.1 but we got 1.0");
159 getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN11),
160 getErrorMessage());
161 return false;
162 }
163 getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN11));
164 break;
165 }
166 }
167
168
169 getPolicyAsserter().assertPolicy(getAssertion());
170 return true;
171 }
172 }